
Wire managed MITM CA trust into child env #22668

Draft
winston-openai wants to merge 1 commit into codex/mitm-feature-gate-landing from dev/winston/mitm-ca-trust

@winston-openai

Stack

  1. Parent PR: Use named MITM permissions config #18240 uses named MITM permissions config.
  2. This PR wires the managed MITM CA into spawned child process trust.

Why

  1. The managed proxy already creates $CODEX_HOME/proxy/ca.pem, but spawned HTTPS clients only receive proxy URL environment variables.
  2. When Codex terminates HTTPS for limited mode or MITM hooks, common child clients need a CA bundle that trusts the managed proxy without dropping native/custom roots.

Summary

  1. Build $CODEX_HOME/proxy/ca-bundle.pem from native roots, inherited custom CA bundles, and the managed MITM CA.
  2. Export common CA bundle env vars alongside managed proxy env vars when MITM is active.
  3. Document the managed CA bundle behavior and cover the env injection in tests.

Validation

  1. Ran cargo test -p codex-network-proxy.
  2. Ran just fix -p codex-network-proxy.
  3. Ran just bazel-lock-update.
  4. Ran just bazel-lock-check.
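
The bundle merge and env export described in the Summary, sketched as an added example (not code from this PR or from the codex-network-proxy crate). The function names and the list of environment variable names are assumptions; the PR text only says "common CA bundle env vars".

```rust
use std::collections::HashSet;

const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const END: &str = "-----END CERTIFICATE-----";

/// Return each complete CERTIFICATE block in `pem`, normalised to LF endings.
fn pem_certs(pem: &str) -> Vec<String> {
    let (mut out, mut cur) = (Vec::new(), None::<Vec<&str>>);
    for line in pem.lines().map(str::trim).filter(|l| !l.is_empty()) {
        if line == BEGIN {
            cur = Some(vec![line]); // restart: drops any unterminated block
        } else if line == END {
            if let Some(mut block) = cur.take() {
                block.push(line);
                out.push(block.join("\n") + "\n");
            }
        } else if line.starts_with("-----") {
            cur = None; // some other PEM type (e.g. a private key): never copy it
        } else if let Some(block) = cur.as_mut() {
            block.push(line);
        }
    }
    out
}

/// Concatenate certificates from all sources in order, skipping exact duplicates.
fn build_bundle(sources: &[&str]) -> String {
    let mut seen = HashSet::new();
    sources.iter().flat_map(|s| pem_certs(s))
        .filter(|cert| seen.insert(cert.clone()))
        .collect()
}

/// Variables to set in the child. Most of these REPLACE the client's default
/// trust store, which is why they point at the merged bundle, not the MITM CA alone.
fn ca_env(bundle_path: &str) -> Vec<(&'static str, String)> {
    // Assumed set of names; the PR text does not list the variables it exports.
    ["SSL_CERT_FILE", "CURL_CA_BUNDLE", "REQUESTS_CA_BUNDLE", "GIT_SSL_CAINFO", "NODE_EXTRA_CA_CERTS"]
        .iter().map(|k| (*k, bundle_path.to_string())).collect()
}

fn main() {
    // Constructed placeholder PEM bodies, not real certificates.
    let native = format!("{BEGIN}\nTkFUSVZF\n{END}\n");
    let mitm = format!("{BEGIN}\nTUlUTQ==\n{END}\n");
    let bundle = build_bundle(&[native.as_str(), mitm.as_str(), native.as_str()]);
    println!("{} certificates in bundle", pem_certs(&bundle).len());
    for (k, v) in ca_env("$CODEX_HOME/proxy/ca-bundle.pem") { println!("{k}={v}"); }
}
```

Deduplication here is textual, so the same certificate wrapped at a different line width would be kept twice; that is harmless for trust evaluation but inflates the file.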

@github-actions
Contributor


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.
